
Vendor Risk Quick Assessment Tool

Assess third-party vendor security maturity, privacy readiness, supply-chain exposure, and onboarding priority in minutes.

Frameworks referenced: NIST C-SCRM, CISA SCRM, UK NCSC, GDPR, NIS2, DORA, ISO 27001 / SOC 2
Privacy-first: answers are calculated in the browser only. This tool does not store submissions, set cookies, or call external APIs.
Vendor profile

1. Inherent vendor exposure

  • Business criticality: How much would your organization, customers, or operations be affected if this vendor failed?
  • Data sensitivity: What type of data will the vendor access, store, process, transmit, or support?
  • System access level: What technical access will the vendor receive?
  • Dependency and lock-in: How difficult would replacement, migration, or temporary operation be?

2. Core security controls

  • Multi-factor authentication: MFA should protect administrators and users who can access sensitive systems or customer data.
  • Identity and access management: Look for SSO, RBAC, least privilege, joiner/mover/leaver controls, and periodic access review.
  • Independent security evidence: Recent SOC 2 Type II, ISO 27001, Cyber Essentials, CSA CAIQ, pen-test summary, or equivalent assurance.
  • Encryption and key protection: Confirm encryption in transit and at rest, key management, tenant separation, and secret handling.
  • Logging and monitoring: Security logs, admin audit trails, alerting, retention, and customer-accessible audit evidence.
  • Vulnerability and patch management: Regular scanning, patch SLAs, secure configuration, penetration testing, and remediation tracking.
  • Secure development and change control: Code review, dependency security, secrets scanning, change approval, and secure release process.
  • Infrastructure and endpoint hardening: Hardening, EDR/anti-malware, configuration baselines, cloud security posture, and network segmentation.

3. Privacy, contracts, and governance

  • Privacy terms and data processing agreement: DPA, roles, processing purpose, security obligations, deletion, breach notice, and audit cooperation.
  • Data residency and cross-border transfers: Know where data is stored, processed, supported, and transferred, including safeguards for international transfers.
  • Subcontractors and fourth parties: List of subprocessors, notification of changes, flow-down security obligations, and subcontractor oversight.
  • Contractual assurance and audit rights: Security addendum, SLAs, incident notification, audit rights, right to evidence, liability, and termination assistance.
  • AI and secondary data use: Confirm whether customer data is used for AI training, profiling, analytics, model improvement, or resale.
  • Public trust and transparency: Clear security page, trust center, vulnerability disclosure, compliance evidence request path, and responsible contact.

4. Resilience and incident readiness

  • Incident response and customer notification: Documented incident response, escalation path, customer notification timeline, and lessons learned.
  • Backup, disaster recovery, and business continuity: Backups, restore testing, RTO/RPO, continuity plan, and service restoration evidence.
  • Breach, enforcement, and unresolved findings: Recent breaches, regulatory enforcement, repeated outages, unresolved audit findings, or known security gaps.
  • Security support and escalation: Security owner, escalation contacts, response SLAs, vulnerability reporting, and account management support.

Vendor Risk Quick Assessment Tool: 7 Powerful Safety Checks

Vendor Risk Quick Assessment Tool helps you check whether a vendor, supplier, SaaS platform, freelancer, agency, software provider, cloud service, or business partner is safe enough to trust before you share sensitive data, give account access, or sign a contract.

Most businesses now depend on third parties. You may use one vendor for hosting, another for email marketing, another for payments, another for payroll, and another for customer support. This makes work easier, but it also creates a serious security question:

Can this vendor protect your data, customers, accounts, and business reputation?

The Vendor Risk Quick Assessment Tool helps answer that question in a simple way. It gives you a quick vendor security score, highlights weak areas, and shows what you should ask before approval. You do not need to be a cybersecurity expert. The goal is to help normal business owners, website owners, agencies, startups, compliance teams, and IT managers make safer vendor decisions.

[Image: Vendor Risk Quick Assessment Tool dashboard for third-party security review] A vendor risk dashboard helps users check supplier security before sharing data or access.

What is the Vendor Risk Quick Assessment Tool?

The Vendor Risk Quick Assessment Tool is a practical third-party security questionnaire that helps you review supplier risk before you trust an outside company with access, data, systems, or customer information.

It checks important vendor security areas such as:

  • Multi-factor authentication
  • SOC 2 or ISO 27001 evidence
  • Breach history
  • Data encryption
  • Logging and monitoring
  • Backup and recovery readiness
  • Incident response
  • Privacy controls
  • Subcontractor and subprocessor risk
  • Access control and admin account protection

Instead of giving you a confusing compliance document, the tool gives a clear result. You can use the score to decide whether a vendor looks safe, needs more evidence, requires management review, or should not be approved yet.

This makes the Vendor Risk Quick Assessment Tool useful for both technical and non-technical users.

Why Vendor Risk is a Public Problem

Vendor risk is not only a large-enterprise problem. It affects small businesses, freelancers, schools, online stores, agencies, healthcare providers, nonprofits, consultants, and website owners.

A small business may trust a marketing agency with website access. An e-commerce store may trust a payment provider with customer transactions. A clinic may trust a software platform with patient information. A school may trust a cloud service with student records. If the vendor has weak security, the customer may still suffer the damage.

A risky vendor can cause:

  • Data leaks
  • Account compromise
  • Website takeover
  • Customer privacy issues
  • Payment disruption
  • Ransomware exposure
  • Legal stress
  • Compliance problems
  • Business downtime
  • Loss of customer trust

The Vendor Risk Quick Assessment Tool helps prevent blind trust. It gives users a clear way to ask better questions before a vendor gets access.

Who Should Use This Vendor Risk Quick Assessment Tool?

You should use the Vendor Risk Quick Assessment Tool before choosing or renewing any vendor that can access your data, systems, website, customer records, payments, accounts, documents, or business operations.

This includes:

  • SaaS platforms
  • Web hosting providers
  • Cloud storage services
  • Payment processors
  • Email marketing tools
  • CRM platforms
  • IT support companies
  • Cybersecurity vendors
  • Payroll and HR tools
  • Accounting software
  • Customer support platforms
  • Freelancers with admin access
  • Web developers
  • Marketing agencies
  • Analytics and tracking services
  • E-commerce plugins and apps

If a third party can touch your business data or login systems, you should check its security before approval.

What the Tool Checks

The Vendor Risk Quick Assessment Tool checks vendor maturity across practical security areas that matter in real business decisions.

It looks at whether the vendor uses MFA, has security evidence, protects sensitive data, monitors suspicious activity, manages subcontractors, responds to incidents, and can recover from outages or attacks.

The tool is especially helpful for users in premium markets such as the United States, United Kingdom, Canada, Australia, New Zealand, Germany, France, Netherlands, Switzerland, Ireland, Sweden, Norway, Denmark, Singapore, UAE, and the wider European Union because these markets often care about privacy, supplier due diligence, cyber insurance, business continuity, and regulatory expectations.

7 Powerful Vendor Safety Checks

1. Check Multi-Factor Authentication

A trustworthy vendor should use multi-factor authentication, especially for admin accounts, cloud dashboards, support portals, developer accounts, and systems that store sensitive data.

If a vendor only depends on passwords, risk is higher. Passwords can be stolen through phishing, malware, credential leaks, weak password reuse, or social engineering.

User action: Ask the vendor whether MFA is required for all privileged accounts.

2. Check SOC 2 or ISO 27001 Evidence

Security evidence helps prove that a vendor has formal controls. Common examples include SOC 2 reports, ISO 27001 certificates, security whitepapers, penetration test summaries, and information security policies.

A vendor that handles important business or customer data should be able to explain its security controls clearly. ISO/IEC 27001 is widely used as an international information security management standard, and NIST supply-chain guidance focuses on identifying, assessing, and reducing supplier cybersecurity risk.

User action: Ask for SOC 2 Type II, ISO 27001, or another security evidence document.

3. Check Breach History

A past breach does not automatically mean a vendor is unsafe forever. What matters is whether the vendor was transparent, fixed the weakness, improved controls, and notified affected customers properly.

A vendor that avoids breach-history questions should be reviewed carefully.

User action: Ask whether the vendor has experienced a security incident in the last three years and what improvements were made.

4. Check Data Encryption

Encryption helps protect sensitive information when it is stored and when it travels between systems. This is important for personal data, financial records, customer accounts, confidential files, source code, login information, and business documents.

A vendor should be able to explain encryption in simple terms. If the vendor cannot explain how data is protected, that is a warning sign.

User action: Ask whether data is encrypted in transit and at rest.

5. Check Logging and Monitoring

Logging helps detect unusual activity, unauthorized access, suspicious account behavior, and possible security incidents. Without logs, it may be difficult to understand what happened after a breach.

Monitoring is especially important for SaaS vendors, cloud platforms, payment services, hosting companies, and vendors with admin access.

User action: Ask whether the vendor monitors suspicious access and keeps audit logs.

6. Check Backup and Recovery

If a vendor suffers ransomware, system failure, accidental deletion, or cloud outage, it should have a recovery plan. A vendor that cannot recover quickly may create downtime for your business.

Backup and recovery are not only technical issues. They directly affect revenue, customer trust, and service availability.

User action: Ask how often backups are performed and how quickly services can be restored.

7. Check Subcontractor and Subprocessor Controls

Many vendors depend on other vendors. These are often called subcontractors, subprocessors, or fourth parties. If your vendor sends data to another company, you should know who that company is and how risk is controlled.

For personal data, GDPR Article 28 sets out the processor's obligations, including the rule that a processor must not engage another processor (a subprocessor) without the controller's prior authorisation.

User action: Ask for a subprocessor list and notification process for changes.

Vendor Risk Score Meaning

The Vendor Risk Quick Assessment Tool gives a simple risk result so users can take action quickly.

Low Risk

The vendor appears to have reasonable security controls. You may still need normal business approval, contract review, or privacy review, but there are no major warning signs.

Medium Risk

The vendor has some good controls, but important evidence may be missing. Ask for more documentation before approval.

High Risk

The vendor may create serious security, privacy, or operational risk. Do not approve without review from IT, legal, compliance, or management.

Critical Risk

The vendor should not receive sensitive data, admin access, or business-critical permissions until major security gaps are fixed.
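The four-level result described above, as an added illustrative scorer written for this page: it is not the tool's own browser code, and the weights, thresholds, control names, escalation rules and the three sample vendors are all assumptions constructed for the demonstration. It shows one way the profile answers (inherent exposure), the control answers (weighted gaps, with missing evidence scored as a gap) and a few escalation rules for critical gaps can combine into a Low / Medium / High / Critical rating.

```javascript
// Added example: an illustrative quick-assessment scorer. The weights,
// thresholds, control names and escalation rules are assumptions for
// demonstration, not the logic of the page's own tool.

const LEVEL = { low: 1, medium: 2, high: 3, critical: 4 };
const RANK = ["Low", "Medium", "High", "Critical"];

// Assumed control weights: a heavier weight means a missing control moves the
// score more. Keys mirror the control questions in the four groups on the page.
const CONTROL_WEIGHTS = {
  mfa: 3, iam: 2, evidence: 2, encryption: 2, logging: 2, vulnMgmt: 2,
  secureDev: 1, hardening: 1,
  dpa: 2, residency: 1, subprocessors: 2, contract: 1, aiUse: 1, transparency: 1,
  incidentResponse: 2, backupDr: 2, breachDisclosure: 2, support: 1,
};

// Answer -> fraction of the control that is missing. "unknown" scores like
// "no": evidence the vendor cannot produce is treated as a gap.
const GAP = { yes: 0, partial: 0.5, no: 1, unknown: 1 };

// Inherent exposure from the four profile questions (1.0 .. 4.0). The mean is
// used so that a single high answer does not dominate (assumed design choice).
function inherentExposure(profile) {
  const keys = ["criticality", "dataSensitivity", "accessLevel", "dependency"];
  return keys.reduce((sum, k) => sum + LEVEL[profile[k]], 0) / keys.length;
}

// Weighted fraction of controls missing (0.0 = all evidenced, 1.0 = none).
function controlGap(controls) {
  let missing = 0;
  let total = 0;
  for (const [name, weight] of Object.entries(CONTROL_WEIGHTS)) {
    missing += weight * GAP[controls[name] ?? "unknown"];
    total += weight;
  }
  return missing / total;
}

// Never lower a rating: return whichever of the two is more severe.
function atLeast(rating, floor) {
  return RANK.indexOf(rating) >= RANK.indexOf(floor) ? rating : floor;
}

// Residual score 0..100 = exposure (1..4) x gap (0..1) x 25, mapped to the four
// ratings, then raised by escalation rules when a critical gap meets exposure.
function assessVendor(vendor) {
  const { profile, controls } = vendor;
  const score = inherentExposure(profile) * controlGap(controls) * 25;
  let rating = score < 20 ? "Low" : score < 40 ? "Medium" : score < 65 ? "High" : "Critical";
  const findings = [];

  const sensitive = LEVEL[profile.dataSensitivity] >= 3 || LEVEL[profile.accessLevel] >= 3;
  if ((controls.mfa ?? "unknown") !== "yes" && sensitive) {
    findings.push("MFA not evidenced for a vendor with sensitive data or privileged access");
    rating = atLeast(rating, "High");
  }
  if ((controls.breachDisclosure ?? "unknown") === "no") {
    findings.push("Vendor declined breach-history questions or has unresolved findings");
    rating = atLeast(rating, "High");
  }
  if ((controls.backupDr ?? "unknown") !== "yes" && LEVEL[profile.criticality] >= 3) {
    findings.push("No backup or recovery evidence for a business-critical vendor");
    rating = atLeast(rating, "High");
  }
  return { score: Math.round(score), rating, findings };
}

// Constructed sample vendors (not real suppliers).
const allYes = Object.fromEntries(Object.keys(CONTROL_WEIGHTS).map((k) => [k, "yes"]));
const SAMPLE_VENDORS = {
  matureSaas: {
    profile: { criticality: "high", dataSensitivity: "high", accessLevel: "medium", dependency: "medium" },
    controls: { ...allYes, secureDev: "partial", aiUse: "partial" },
  },
  agencyWithAdminAccess: {
    profile: { criticality: "medium", dataSensitivity: "high", accessLevel: "critical", dependency: "low" },
    controls: { mfa: "no", encryption: "partial", logging: "no", backupDr: "yes", breachDisclosure: "yes", support: "yes" },
  },
  lowCriticalityButSensitive: {
    profile: { criticality: "low", dataSensitivity: "critical", accessLevel: "low", dependency: "low" },
    controls: { ...allYes, mfa: "partial" },
  },
};

// Score every sample vendor and return the results keyed by name.
function runSamples() {
  const out = {};
  for (const [name, vendor] of Object.entries(SAMPLE_VENDORS)) out[name] = assessVendor(vendor);
  return out;
}

console.log(JSON.stringify(runSamples(), null, 2));
```

Two design points are worth noticing when adapting this. Unanswered controls count as gaps, which is what pushes a vendor that "cannot provide security evidence" into Medium or worse even when nothing is known to be wrong. And the escalation rules sit outside the arithmetic: the third sample vendor scores only 2 out of 100 numerically, yet lands at High because partial MFA coverage meets critical data sensitivity, which matches the page's advice not to hand over sensitive data while a major gap remains.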

Vendor Evidence Checklist

[Image: Vendor Risk Quick Assessment Tool evidence checklist for SOC 2, ISO 27001, MFA, encryption and subcontractor risk] Vendor evidence checks help businesses make safer third-party decisions.

Before approving a vendor, ask for useful evidence. This protects your business and helps you make a better decision.

Ask for:

  • SOC 2 Type II report
  • ISO 27001 certificate
  • Security policy summary
  • Privacy policy
  • Data Processing Agreement
  • Subprocessor list
  • MFA policy
  • Encryption statement
  • Access control policy
  • Backup and disaster recovery summary
  • Incident response plan
  • Breach notification process
  • Vulnerability management summary
  • Penetration test summary
  • Data retention and deletion policy

A strong vendor should not hide basic security information. If the vendor refuses to answer reasonable questions, slow down before approval.

Vendor Red Flags You Should Not Ignore

Be careful if a vendor:

  • Does not use MFA
  • Cannot provide security evidence
  • Refuses to answer breach-history questions
  • Has no incident response process
  • Cannot explain encryption
  • Uses unknown subcontractors
  • Has unclear data storage locations
  • Requests unnecessary admin access
  • Has no backup or recovery process
  • Has no privacy policy
  • Has unclear contract terms
  • Cannot explain how your data is deleted after cancellation

These signs do not always mean the vendor is dangerous, but they do mean you should ask more questions before sharing data or access.

International Compliance Considerations

The Vendor Risk Quick Assessment Tool is designed for practical global use. It can support early vendor review for businesses working across the US, UK, Canada, Australia, Europe, UAE, Singapore, and other high-value markets.

For EU and UK users, vendor review is closely connected to privacy, data processing, subcontractor controls, and supplier oversight. For financial-sector users in the EU, DORA focuses on ICT third-party risk and operational resilience oversight.

For UK users, the NCSC supply-chain guidance recommends understanding supplier risks, establishing control, checking arrangements, and continuously improving supply-chain security.

The tool does not replace legal advice or a full audit. It helps users identify early risk, ask better questions, and decide whether a vendor needs deeper review.
